<H2>Is Jetty secure? </H2>
<FONT COLOR="#000099"><B>(Or, to quote Gandalf:  Is it Secret? Is it Safe?)</B></FONT>
<P>

Against the spec (ie giving access only to resources that the 
servlet spec allows for) we have historicly had a few security issues.
However we have more often been in the role of finding a problem in
all servlet implementations and driving the fix.  We have at times
raised CERT secuirty advisories on all servlet containers.
<P>
For general security (can the server be used to break into a system),
we have never had an issue.   Jetty does not call exec other than
in the CGI servlet - which is easy to configure out.   No network
supplied data is used for loading classes.  The WEB-INF/lib and
WEB-INF/classes directories are strongly protected from read and write.
<P>
However, Jetty is not hardened against hostile code.   There are probably
security issues if you run untrusted Servlets within Jetty.  However the
servlet spec itself has several security problems when running untrusted
servlets.
<P>
Jetty does allow permission files to be configured per context, thus can
be configured to restrict access to the system and libraries from servlet code.
However, there may still be some risk of a hostile servlet changing some
Jetty configuration.  A security audit is recommended if you wish to run
untrusted servlets.
<P>
It is also simple to configure down Jetty to only include the handler that
you need.  Thus avoiding potential problems.
<P>
But there are no guarentees with free software.  If you are really concerned
then I suggest you get some consulting for an audit of your actual deployment.

<P>

<A HREF="index.html" TITLE="Back to JettyFAQ"><IMG SRC="/jetty/images/info_sm.gif" BORDER="0"><BR
CLEAR="bottom"> JettyFaq</A>
<BR><BR>
